From patchwork Sun Dec 24 05:01:54 2023
X-Patchwork-Submitter: Ahelenia Ziemiańska
X-Patchwork-Id: 183027
Date: Sun, 24 Dec 2023 06:01:54 +0100
From: Ahelenia Ziemiańska
Cc: Jens Axboe, Christian Brauner, Alexander Viro, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Miklos Szeredi
Subject: [PATCH v2 14/11] fuse: allow splicing to trusted mounts only
Message-ID: <7j2y6xumiqxpkpqlakrvoribzin73y2p2rokgryyahegjvwo3h@tarta.nabijaczleweli.xyz>

FUSE tends to be installed suid 0: this allows normal users to mount anything, including a program whose write implementation consists of for(;;) sleep(1);, which, if splice were allowed, would sleep forever with the pipe lock held.

Normal filesystems can only be mounted by root, and are thus deemed safe. Extend this to when root mounts a FUSE filesystem and to virtiofs, mirroring the splice_read "trusted" logic.

Signed-off-by: Ahelenia Ziemiańska
--- fs/fuse/file.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 20bb16ddfcc9..62308af13396 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -3215,6 +3215,21 @@ static long fuse_splice_read(struct file *in, loff_t *ppos, return -EINVAL; } +static ssize_t +fuse_splice_write(struct pipe_inode_info *pipe, struct file *out, + loff_t *ppos, size_t len, unsigned int flags) +{ + struct inode *inode = file_inode(out); + + if (fuse_is_bad(inode)) + return -EIO; + + if (get_fuse_conn(inode)->trusted) + return iter_file_splice_write(pipe, out, ppos, len, flags); + + return -EINVAL; +} + static const struct file_operations fuse_file_operations = { .llseek = fuse_file_llseek, .read_iter = fuse_file_read_iter, 
@@ -3228,7 +3243,7 @@ static const struct file_operations fuse_file_operations = { .get_unmapped_area = thp_get_unmapped_area, .flock = fuse_file_flock, .splice_read = fuse_splice_read, - .splice_write = iter_file_splice_write, + .splice_write = fuse_splice_write, .unlocked_ioctl = fuse_file_ioctl, .compat_ioctl = fuse_file_compat_ioctl, .poll = fuse_file_poll,
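Review bot: The new fuse_splice_write() in the first hunk carries no comment saying why the fall-through for an untrusted connection is -EINVAL. The reason (a user-mounted daemon's write handler can block indefinitely while the splice path holds the pipe lock) exists only in the commit message, so a short comment above the `get_fuse_conn(inode)->trusted` test would keep the security rationale next to the check. Separately, `trusted` is read here but nothing in this diff defines or sets it; the commit message should name the patch in the series that sets it for root mounts and virtiofs, so the gate can be reviewed together with the place that opens it.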
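Review bot: Replacing `.splice_write = iter_file_splice_write` with `fuse_splice_write` in the second hunk is a user-visible behaviour change that the commit message does not state: on every connection where `trusted` is false, a splice into a FUSE file now returns -EINVAL where it previously reached iter_file_splice_write. Please document that in the commit message, including what callers that relied on splicing to user-mounted FUSE files should expect, and confirm that -EINVAL (matching the tail of fuse_splice_read shown as context in the first hunk) is the error callers are meant to handle.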